pfSense 2.0 to Adtran TA908e IPsec tunnel



  • Hello all,

    I have been able to get an IPsec tunnel between these 2 devices to connect, but I cannot pass any traffic. Below is a debug log from the pfSense side. The remote side is an Adtran TA908e. I have put 2 rules on the IPsec tab in the firewall rules as follows:

    protocol any
    port any
    source lan net
    destination 192.168.0.x (single host)
    dest port any
    gateway any
    queue none

    AND

    protocol any
    port any
    source 192.160.0.x (same single host)
    dest 192.168.190.x (single host on pfsense side)
    port any
    gateway any
    queue none

    Debug log:

    Oct 24 21:22:10 racoon: DEBUG: received an R-U-THERE-ACK
    Oct 24 21:22:10 racoon: [IYS Corp Office]: [98.140.50.66] DEBUG: DPD R-U-There-Ack received
    Oct 24 21:22:10 racoon: DEBUG: succeed.
    Oct 24 21:22:10 racoon: DEBUG: seen nptype=11(notify)
    Oct 24 21:22:10 racoon: DEBUG: seen nptype=8(hash)
    Oct 24 21:22:10 racoon: DEBUG: begin.
    Oct 24 21:22:10 racoon: DEBUG: hash validated.
    Oct 24 21:22:10 racoon: DEBUG: 419509bc 58105254 58bcc6e0 4d858e60 7970c659
    Oct 24 21:22:10 racoon: DEBUG: HASH computed:
    Oct 24 21:22:10 racoon: DEBUG: hmac(hmac_sha1)
    Oct 24 21:22:10 racoon: DEBUG: 99ca6f85 00000020 00000001 01108d29 4b3e0aab 157e227c a312ef48 0fe1cd09 00000299
    Oct 24 21:22:10 racoon: DEBUG: HASH with:
    Oct 24 21:22:10 racoon: DEBUG: IV freed
    Oct 24 21:22:10 racoon: DEBUG: 4b3e0aab 157e227c a312ef48 0fe1cd09 08100501 99ca6f85 00000054 0b000018 419509bc 58105254 58bcc6e0 4d858e60 7970c659 00000020 00000001 01108d29 4b3e0aab 157e227c a312ef48 0fe1cd09 00000299
    Oct 24 21:22:10 racoon: DEBUG: decrypted.
    Oct 24 21:22:10 racoon: DEBUG: skip to trim padding.
    Oct 24 21:22:10 racoon: DEBUG: padding len=154
    Oct 24 21:22:10 racoon: DEBUG: 0b000018 419509bc 58105254 58bcc6e0 4d858e60 7970c659 00000020 00000001 01108d29 4b3e0aab 157e227c a312ef48 0fe1cd09 00000299
    Oct 24 21:22:10 racoon: DEBUG: decrypted payload, but not trimed.
    Oct 24 21:22:10 racoon: DEBUG: 38ded7d9 f400a46d
    Oct 24 21:22:10 racoon: DEBUG: decrypted payload by IV:
    Oct 24 21:22:10 racoon: DEBUG: 03998e1d 2849b79c a541e275 4d83fa0b 4bdfbc3d 5b97f928
    Oct 24 21:22:10 racoon: DEBUG: with key:
    Oct 24 21:22:10 racoon: DEBUG: encryption(3des)
    Oct 24 21:22:10 racoon: DEBUG: 04e54d44 98352138
    Oct 24 21:22:10 racoon: DEBUG: IV was saved for next processing:
    Oct 24 21:22:10 racoon: DEBUG: encryption(3des)
    Oct 24 21:22:10 racoon: DEBUG: begin decryption.
    Oct 24 21:22:10 racoon: DEBUG: 38ded7d9 f400a46d
    Oct 24 21:22:10 racoon: DEBUG: phase2 IV computed:
    Oct 24 21:22:10 racoon: DEBUG: encryption(3des)
    Oct 24 21:22:10 racoon: DEBUG: hash(sha1)
    Oct 24 21:22:10 racoon: DEBUG: ade79520 01884bc5 99ca6f85
    Oct 24 21:22:10 racoon: DEBUG: phase1 last IV:
    Oct 24 21:22:10 racoon: DEBUG: compute IV for phase2
    Oct 24 21:22:10 racoon: DEBUG: receive Information.
    Oct 24 21:22:10 racoon: DEBUG: 4b3e0aab 157e227c a312ef48 0fe1cd09 08100501 99ca6f85 00000054 36f64fa5 7caa63fb a0ca4a91 773a9f9c b9072722 43015819 3468056d b3acd160 9f509cb5 481f22cb 387976ef 7869cd58 04e54d44 98352138
    Oct 24 21:22:10 racoon: DEBUG: 84 bytes message received from 98.140.50.66[500] to 66.208.224.237[500]
    Oct 24 21:22:10 racoon: DEBUG: ===
    Oct 24 21:22:10 racoon: [IYS Corp Office]: [98.140.50.66] DEBUG: rescheduling send_r_u (5).
    Oct 24 21:22:10 racoon: [IYS Corp Office]: [98.140.50.66] DEBUG: DPD R-U-There sent (0)
    Oct 24 21:22:10 racoon: DEBUG: IV freed
    Oct 24 21:22:10 racoon: DEBUG: sendto Information notify.
    Oct 24 21:22:10 racoon: DEBUG: 4b3e0aab 157e227c a312ef48 0fe1cd09 08100501 b6de3dd1 0000005c 93435b8e 422e5a16 92d35c09 0304a459 d82793f9 b44e4e90 1889fc29 cb3140a2 2c66e465 d4dae200 ffbe9b3f 910b4545 cc8fe6f7 0ba748bc 9794d571 20377001
    Oct 24 21:22:10 racoon: DEBUG: 1 times of 92 bytes message will be sent to 98.140.50.66[500]
    Oct 24 21:22:10 racoon: DEBUG: send packet to 98.140.50.66[500]
    Oct 24 21:22:10 racoon: DEBUG: send packet from 66.208.224.237[500]
    Oct 24 21:22:10 racoon: DEBUG: sockname 66.208.224.237[500]
    Oct 24 21:22:10 racoon: DEBUG: 92 bytes from 66.208.224.237[500] to 98.140.50.66[500]
    Oct 24 21:22:10 racoon: DEBUG: encrypted.

    Again, the tunnel connects but will not pass traffic. I have read this is usually a mismatch in the configs between the 2 sides, but I can't see that in this case. Is there something special I need to do between the Adtran and pfSense? Any help appreciated.
    Thanks!
    ACL



  • Anyone????? I still could use some help with this…..

    Thanks.



  • Is 192.168.190.x the LAN subnet of the pfSense or an additional network behind the pfSense? You might need a rule on your LAN interface permitting ALL LAN subnets to any. Also, if it is an additional network, you need a route on your pfSense to point 192.168.190.x out the local LAN interface.

    Same questions would apply for the other side of the tunnel as well…
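An added example (not from the thread or either vendor) that turns the two checks raised above into code: do the phase 2 selectors on each side mirror each other and cover the host pair, and is the tunnel-local network actually the pfSense LAN subnet or one that needs a static route. The subnets and hosts below are constructed placeholders, since the thread only gives the third octets.

```python
import ipaddress

# Constructed example values (not from the thread). Each side's phase 2
# selectors are (local network, remote network) as that side sees them.
PFSENSE_LAN = "192.168.1.0/24"                          # assumed LAN subnet
PFSENSE_P2 = [("192.168.190.0/24", "192.168.0.0/24")]   # local, remote
ADTRAN_P2 = [("192.168.0.0/24", "192.168.190.0/24")]    # local, remote


def mirrored(side_a, side_b):
    """Phase 2 selectors must mirror: A's (local, remote) must appear on
    B as (remote, local). Returns A's pairs that have no mirror on B."""
    net = ipaddress.ip_network
    b_set = {(net(r), net(l)) for l, r in side_b}
    return [(l, r) for l, r in side_a if (net(l), net(r)) not in b_set]


def sa_covers(selectors, src, dst):
    """True when some selector pair contains src (local) and dst (remote).
    Traffic outside every pair never enters the tunnel, however healthy
    phase 1 and the DPD R-U-There exchange look in the racoon log."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(l) and d in ipaddress.ip_network(r)
               for l, r in selectors)


def needs_static_route(lan, local_net):
    """A tunnel-local network that is not the LAN subnet must have a route
    on pfSense, or return traffic leaves via the default gateway instead."""
    return not ipaddress.ip_network(local_net).subnet_of(ipaddress.ip_network(lan))


def check_tunnel(lan, pf_p2, ad_p2, src, dst):
    """Collect the configuration problems for a pfSense-side src talking
    to an Adtran-side dst. An empty list means the selectors, coverage
    and routing are consistent; firewall rules still have to allow it."""
    problems = []
    if mirrored(pf_p2, ad_p2) or mirrored(ad_p2, pf_p2):
        problems.append("phase2 selectors do not mirror")
    if not sa_covers(pf_p2, src, dst):
        problems.append("no pfSense SA covers %s -> %s" % (src, dst))
    if not sa_covers(ad_p2, dst, src):
        problems.append("no Adtran SA covers %s -> %s" % (dst, src))
    for local_net, _ in pf_p2:
        if needs_static_route(lan, local_net):
            problems.append("static route needed on pfSense for %s" % local_net)
    return problems
```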


Locked